
ci: enable GitHub Actions workflows to support fork PRs #250

Merged
jeremyeder merged 1 commit into ambient-code:main from chambridge:ci/fork-pr-support
Jan 14, 2026


@chambridge
Contributor

Description

Refactor CI workflows to handle fork PRs which have limited permissions and cannot post comments directly.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)
  • Performance improvement
  • Test coverage improvement

Related Issues

Fixes "Resource not accessible by integration" errors for external contributor PRs from forks.

Changes Made

  • ci.yml: Save coverage data as artifact instead of posting comment directly (which fails on forks due to permissions)
  • coverage-comment.yml: New workflow using workflow_run trigger to post coverage comments with write permissions in upstream context. Includes security validation of PR number to prevent cross-PR comment injection.
  • pr-review-auto-fix.yml: Add allowed_non_write_users: '*' to enable Claude Code Review on fork PRs (claude-code-action#579)

Testing

  • actionlint: All 3 workflow files pass validation (ci.yml, coverage-comment.yml, pr-review-auto-fix.yml)

  • Security review: Validated PR number injection mitigation - uses trusted PR number from GitHub API, not artifact

  • No runtime tests: Workflow changes can only be fully tested when triggered by actual fork PRs in the upstream repo

  • Unit tests pass (pytest)

  • Integration tests pass

  • Manual testing performed

  • No new warnings or errors

Checklist

  • My code follows the project's code style
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published

Screenshots (if applicable)

Additional Notes

Refactor CI workflows to handle fork PRs which have limited permissions
and cannot post comments directly.

Changes:
- ci.yml: Save coverage data as artifact instead of posting comment
  directly (which fails on forks due to permissions)
- coverage-comment.yml: New workflow using workflow_run trigger to post
  coverage comments with write permissions in upstream context. Includes
  security validation of PR number to prevent cross-PR comment injection.
- pr-review-auto-fix.yml: Add allowed_non_write_users: '*' to enable
  Claude Code Review on fork PRs (claude-code-action#579)

Fixes "Resource not accessible by integration" errors for external
contributor PRs from forks.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Chris Hambridge <chambrid@redhat.com>
@jeremyeder jeremyeder merged commit 538e703 into ambient-code:main Jan 14, 2026
10 checks passed
@chambridge chambridge deleted the ci/fork-pr-support branch January 14, 2026 21:31
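
The check this PR describes (take the PR number from GitHub, not from the fork-produced artifact), sketched as an added example; it is not the code in coverage-comment.yml, and the function names and sample data are hypothetical. It assumes the job has the `workflow_run` payload and the open pull requests as returned by the REST API.

```javascript
// Resolve which PR a workflow_run job may comment on, using only fields that
// GitHub sets (the event payload and the pulls API), never the artifact.
function resolveTrustedPr(run, openPulls) {
  if (run.event !== 'pull_request') {
    throw new Error(`unexpected triggering event: ${run.event}`);
  }
  // Match on head SHA and head repository: a branch name alone can be reused
  // by any fork.
  const matches = openPulls.filter(
    (pr) =>
      pr.head.sha === run.head_sha &&
      pr.head.repo !== null &&
      pr.head.repo.full_name === run.head_repository.full_name
  );
  if (matches.length !== 1) {
    throw new Error(`expected exactly one matching PR, found ${matches.length}`);
  }
  return matches[0].number;
}

// Artifact content is produced by fork-controlled code: accept only a strict
// percentage so it cannot carry Markdown, mentions or HTML into the comment.
function parseCoverage(raw) {
  const text = String(raw).trim();
  if (!/^(100(\.0{1,2})?|\d{1,2}(\.\d{1,2})?)$/.test(text)) {
    throw new Error('coverage value in artifact is not a plain percentage');
  }
  return Number(text);
}

function buildComment(run, openPulls, artifact) {
  const number = resolveTrustedPr(run, openPulls);
  // artifact.pr_number (if present) is deliberately ignored.
  const coverage = parseCoverage(artifact.coverage);
  return { issue_number: number, body: `Coverage: ${coverage.toFixed(2)}%` };
}

// Constructed sample data: the artifact claims PR 7, the API says PR 42.
const sampleRun = {
  event: 'pull_request',
  head_sha: 'a'.repeat(40),
  head_repository: { full_name: 'contributor/project' },
};
const samplePulls = [
  { number: 42, head: { sha: 'a'.repeat(40), repo: { full_name: 'contributor/project' } } },
  { number: 7, head: { sha: 'b'.repeat(40), repo: { full_name: 'upstream-org/project' } } },
];
const sampleArtifact = { pr_number: 7, coverage: '87.5' };
console.log(buildComment(sampleRun, samplePulls, sampleArtifact));
```
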
@github-actions
Contributor

🎉 This PR is included in version 2.22.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

kami619 pushed a commit to kami619/agentready that referenced this pull request Jan 15, 2026
…#250)
jeremyeder pushed a commit that referenced this pull request Feb 6, 2026